
This script manages the tracking/logging of general information regarding
TCP, UDP, and ICMP traffic. For UDP and ICMP, “connections” are to
be interpreted using flow semantics (a sequence of packets from a source
host/port to a destination host/port). Further, ICMP “ports” are to
be interpreted with the source port meaning the ICMP message type and
the destination port meaning the ICMP message code.

SF      Normal establishment and termination. Note that this is the same
        symbol as for state S1. You can tell the two apart because for S1
        there will not be any byte counts in the summary, while for SF
        there will be.
REJ     Connection attempt rejected.
S2      Connection established and close attempt by originator seen (but
        no reply from responder).
S3      Connection established and close attempt by responder seen (but
        no reply from originator).
RSTO    Connection established, originator aborted (sent a RST).
RSTR    Responder sent a RST.
RSTOS0  Originator sent a SYN followed by a RST, we never saw a SYN-ACK
        from the responder.
RSTRH   Responder sent a SYN ACK followed by a RST, we never saw a SYN
        from the (purported) originator.
SH      Originator sent a SYN followed by a FIN, we never saw a SYN ACK
        from the responder (hence the connection was “half” open).
SHR     Responder sent a SYN ACK followed by a FIN, we never saw a SYN
        from the originator.
OTH     No SYN seen, just midstream traffic (a “partial connection” that
        was not later closed).

If the connection is originated locally, this value will be T.
If it was originated remotely it will be F. In the case that
the Site::local_nets variable is undefined, this
field will be left empty at all times.

If the connection is responded to locally, this value will be T.
If it was responded to remotely it will be F. In the case that
the Site::local_nets variable is undefined, this
field will be left empty at all times.

Indicates the number of bytes missed in content gaps, which
is representative of packet loss. A value other than zero
will normally cause protocol analysis to fail but some
analysis may have been completed prior to the packet loss.

Records the state history of connections as a string of
letters. The meaning of those letters is:

Letter  Meaning
s       a SYN w/o the ACK bit set
h       a SYN+ACK (“handshake”)
a       a pure ACK
d       packet with payload (“data”)
f       packet with FIN bit set
r       packet with RST bit set
c       packet with a bad checksum (applies to UDP too)
t       packet with retransmitted payload
w       packet with a zero window advertisement
i       inconsistent packet (e.g. FIN+RST bits set)
q       multi-flag packet (SYN+FIN or SYN+RST bits set)
^       connection direction was flipped by Bro’s heuristic

If the event comes from the originator, the letter is in
upper-case; if it comes from the responder, it’s in
lower-case. The ‘a’, ‘d’, ‘i’ and ‘q’ flags are
recorded a maximum of one time in either direction regardless
of how many are actually seen. ‘f’, ‘h’, ‘r’ and
‘s’ can be recorded multiple times for either direction
if the associated sequence number differs from the
last-seen packet of the same flag type.
‘c’, ‘t’ and ‘w’ are recorded in a logarithmic fashion:
the second instance represents that the event was seen
(at least) 10 times; the third instance, 100 times; etc.
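As an added example (not code from the Bro project or its documentation), the following Python decodes a history string according to the letter, case and logarithmic-count rules described above; the sample history strings in it are constructed.

```python
# Added example (not from the Bro documentation): decode a conn.log history
# string into (letter, side, lower bound on packet count) events using the
# letter semantics described above. Sample histories below are constructed.
from collections import Counter

LETTERS = {  # lower-case flag letter -> documented meaning
    "s": "SYN w/o ACK", "h": "SYN+ACK (handshake)", "a": "pure ACK",
    "d": "payload (data)", "f": "FIN", "r": "RST", "c": "bad checksum",
    "t": "retransmitted payload", "w": "zero window advertisement",
    "i": "inconsistent packet", "q": "multi-flag packet",
}
LOGARITHMIC = {"c", "t", "w"}  # n-th instance means seen at least 10**(n-1) times


def parse_history(history):
    """Return (direction_flipped, events); each event is a dict with keys
    letter, side ('orig'/'resp'), meaning and at_least (packet count bound)."""
    flipped = False
    instances = Counter()  # (letter, side) -> how often recorded so far
    events = []
    for ch in history:
        if ch == "^":
            flipped = True  # Bro's heuristic swapped originator and responder
            continue
        letter = ch.lower()
        if letter not in LETTERS:
            raise ValueError(f"unknown history letter {ch!r}")
        side = "orig" if ch.isupper() else "resp"  # upper-case = originator
        instances[(letter, side)] += 1
        n = instances[(letter, side)]
        # c/t/w are logarithmic: 2nd instance = >=10 packets, 3rd = >=100 ...
        # f/h/r/s may repeat per distinct sequence number; a/d/i/q appear once.
        at_least = 10 ** (n - 1) if letter in LOGARITHMIC else n
        events.append({"letter": letter, "side": side,
                       "meaning": LETTERS[letter], "at_least": at_least})
    return flipped, events


def summarize(history):
    """Collapse to {(letter, side): lower bound}; the last instance is the largest."""
    return {(e["letter"], e["side"]): e["at_least"] for e in parse_history(history)[1]}


if __name__ == "__main__":
    # Constructed samples: a normal SF-style exchange, a responder that
    # retransmitted 100+ times, and a connection Bro flipped midstream.
    for h in ("ShADadFf", "ShADadttt", "^dDa"):
        print(h, parse_history(h)[0], summarize(h))
```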